Cisco ASA and IOS devices support object-groups, which can be defined in place of IP addresses, services, security tags (Trustsec SGTs) etc. Object groups simplify configuration, reducing the number of ACEs in an ACL by referencing an object group consisting of multiple hosts/services etc. Configurations become easier to maintain, as you can modify the object group and this will be reflected in other sections of the configuration referencing it. Without object groups the parameters of the configuration may have to modified in multiple locations instead of just once.
Cisco ASA version 9.x supports 6 types of object group:
- ICMP-type – consist of ICMP messages types.
- Network – consist of group-objects which allow nesting of other network object groups and network-object which contain 1 or more host entries. Network object-groups can be used in the SRC and/or DST fields in an ACL.
- Protocol – consist of protocols (TCP, UDP, eigrp, ospf etc). Protocol object-groups can be used in the protocol field of an ACL
- Security – consist of TrustSec SGT tags, these can be used in the SRC and DST fields in an ACL in similar fashion to a network object-group
- Service – consist of a group of services, ports and port ranges. Service object-groups can be used in the SRC and DST fields in an ACL
- User – consist of user groups defined in the local database or nested AD user groups imported from AD.
Cisco IOS devices do not have the same support as ASA firewalls do, they support: Network, Security and Service object groups
ASA Example Usages
In the example below we can see a good example of the usage of each of the object-groups on the ASA.
The example below from the “show running-config access-list” command on the ASA, demonstrates using a network object-group (DMVPN_SPOKES) as the SRC for an inbound rule on the outside interface. The second ACE demonstrates using a service object-group (WEB) for the defined services, in addition to a network object-group (LAN) as the SRC. If you use an object-group for a SRC in an ACE does not mean you must use an object-group as the DST, you can still mix and match using “host x.x.x.x” etc.
Using the “show access-list” command you will notice that the same commands displayed above in the running configuration, are now expanded fully displaying each ACE with each individual ip addresses, ports etc.